
Enable configuring Envoy QAT private key provider #2565

Merged
5 commits merged on Nov 22, 2022

Conversation

rveerama1
Member

Brief background: Enabling PrivateKeyProvider through ProxyConfig was originally introduced in #2261 for CryptoMB. This PR is an addition for that. This will provide configuration for enabling QAT private key provider.

QAT support in Envoy is merged and available from envoyproxy/envoy#21984.

Next generation Intel® QAT support with Intel® Xeon® Scalable processors will feature an Intel® QAT cryptography and compression acceleration engine.

QAT private key provider extension will use qatlib library (https://github.com/intel/qatlib) to accelerate RSA operations in handshakes. The extension will look a bit like the existing cryptomb private key provider. The use case is to move the expensive cryptographic operations away from the CPU to the accelerator device, leaving CPU cycles for other use.

Additional Description:
Support for Intel® QAT is already present in the mainline Linux kernel and in Kubernetes device plugins (to expose the device files to containers). There are previous generations of Intel QAT® hardware devices, but they are not supported by this extension.

Private key provider configuration will be provided by user in ProxyConfig configuration. This information will be used to send configuration to gateway/sidecar proxies.
@rveerama1 rveerama1 requested a review from a team as a code owner November 15, 2022 12:06
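What the ProxyConfig wiring described above looks like from the operator's side, as an added example that is not part of this PR or of the Istio project's own text: the field names `privateKeyProvider`, `qat` and `pollDelay` are assumed to mirror the shape of the existing CryptoMB provider introduced in #2261, the `2ms` poll delay and all resource names are constructed values, and the semantics given for `pollDelay` in the comments are likewise an assumption.

```yaml
# Added example (not from the PR). Mesh-wide default: every sidecar and
# gateway proxy that picks up defaultConfig gets the QAT private key
# provider. Field names are assumed to mirror the cryptomb provider.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: qat-private-key-provider   # constructed name
spec:
  meshConfig:
    defaultConfig:
      privateKeyProvider:
        qat:
          # Assumed semantics: how long Envoy waits before polling the
          # accelerator for completed RSA sign/decrypt operations.
          pollDelay: 2ms            # constructed value
---
# Alternative: opt in a single workload only, via the proxy.istio.io/config
# annotation, which carries a ProxyConfig fragment for that pod.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tls-terminator             # constructed name
spec:
  selector:
    matchLabels:
      app: tls-terminator
  template:
    metadata:
      labels:
        app: tls-terminator
      annotations:
        proxy.istio.io/config: |
          privateKeyProvider:
            qat:
              pollDelay: 2ms       # constructed value
    spec:
      containers:
      - name: app
        image: registry.example/tls-terminator:latest   # constructed image
```

The configuration only tells Envoy which private key provider to load; as the description notes, the QAT device files still have to reach the proxy container through the Kubernetes device plugin, so a rollout check should confirm both that the proxy starts cleanly with the provider configured and that TLS handshakes against the workload continue to complete once the offload is active.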
@istio-policy-bot

😊 Welcome @rveerama1! This is either your first contribution to the Istio api repo, or it's been a while since you've been here.

You can learn more about the Istio working groups, code of conduct, and contributing guidelines by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.

@istio-testing istio-testing added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Nov 15, 2022
@istio-testing istio-testing added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Nov 15, 2022
@howardjohn
Member

I thought I saw somewhere QAT only supports OpenSSL, but Envoy uses BoringSSL. Did I understand wrong, or is this somehow enabling OpenSSL?

@ipuustin

I thought I saw somewhere QAT only supports OpenSSL, but Envoy uses BoringSSL. Did I understand wrong, or is this somehow enabling OpenSSL?

QAT can be used with both OpenSSL and BoringSSL. In BoringSSL the QAT support is done using private key methods, which are hooks for overriding BoringSSL private key operations. Envoy contrib has a QAT private key provider extension, which uses these hooks for accelerating RSA sign/decrypt operations.

@rveerama1
Member Author

@howardjohn ping

Review thread on mesh/v1alpha1/proxy.proto (outdated, resolved)

@linsun
Member

@linsun linsun left a comment

LGTM, minor comment

Labels: size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

6 participants